Joint Concept of Operations for. Global Information Grid NetOps

Transcription

1 10 August 2005 Joint Concept of Operations for Global Information Grid NetOps i UNCLASSIFIED

2 ii UNCLASSIFIED

3 Executive Summary Introduction The Unified Command Plan (UCP) assigns the missions of Information Operations (IO) and Global Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) to Commander, US Strategic Command (CDRUSSTRATCOM). Included in these missions is the responsibility to operate and defend the Global Information Grid (GIG). NetOps is the operational construct that the CDRUSSTRATCOM will use to operate and defend the GIG. The goal of NetOps is to provide assured and timely net-centric services across strategic, operational and tactical boundaries in support of DOD s full spectrum of war fighting, intelligence and business missions. The desired effects of NetOps are: assured system and network availability, assured information protection and assured information delivery. This Concept of Operations (CONOPS) provides a high level description of the key attributes of NetOps: Essential Tasks, Command and Control Operating Principles, Command and Control Structure and Relationships, and the Collaborative Command and Control Process. NetOps Essential Tasks NetOps is an integrated approach to accomplishing the three interdependent tasks necessary to operate the GIG GIG Enterprise Management (GEM), GIG Network Defense (GND) and Information Dissemination Management / Content Staging (IDM/CS). NetOps is not simply GEM and GND and IDM/CS tacked together. Rather, it is the methodical integration of individual capabilities and the resultant synergy. NetOps Command and Control Operating Principles Starting in the late 1990 s, the DoD began evaluating the benefits that Information Age technology can bring to military operations. The vast improvements in information sharing realized by applying Information Age technology to military Command and Control (C2) significantly improve our agility and speed of command. These ideas evolved into the concept of Net-Centric Operations and Warfare (NCOW). NetOps is a net-centric operation, and faces the same set of C2 challenges as any other Joint Force Operation. As a critical enabling capability to achieving net-centricity, NetOps must adopt Information Age C2 structures and processes. For DoD to achieve net-centricity, the GIG must be operated net-centrically. The NetOps Community of Interest (COI) must lead the way in adopting collaborative C2. The NetOps COI must be able to operate and defend the GIG in a net-centric manner, in order for the DoD to realize the benefits of NCOW. NetOps Command and Control Structure and Relationships The NetOps COI is the term used to describe the collaborative group of organizations responsible for operating and defending the GIG. The NetOps COI must exchange relevant information in pursuit of their shared objective and mission to operate and defend the GIG. Under the authority vested in the Commander, USSTRATCOM, the NetOps COI consists of organizations from the Office of the Secretary of Defense, Joint Chiefs of Staff, Combatant Commands, Military Services, Defense Agencies, Other US Government Agencies, Intelligence Community, coalition partners and Non- Government Organizations (NGO) that must interact to accomplish NetOps in support of the DoD mission. This CONOPS applies to the entire NetOps COI and will govern their operational iii UNCLASSIFIED

4 conduct. It will be used to develop deliberate plans, support crisis action planning, and orders production. Non-DoD organizations connecting to the GIG will comply with this CONOPS. Collaborative NetOps Command and Control Process C2 is the ability to recognize what needs to be done in a situation and to ensure that effective actions are taken to achieve the desired effect with minimum adverse impact. At its core, C2 is about decision-making and the individuals who make decisions. NetOps C2 must be a joint decision-making process that is dynamic, decentralized, distributed, and highly adaptive. Enabled by a robust, secure, integrated network, and through the employment of Collaborative Information Environments (CIEs), the NetOps COI will possess a seamless C2 capability. Supported by skilled personnel trained in joint NetOps and standardized NetOps Tactics, Techniques, and Procedures (TTPs), the NetOps COI will be able to create desired GIG effects at the right time and place to accomplish the mission. iv UNCLASSIFIED

5 Table of Contents Executive Summary...iii Table of Contents... v List of Figures...viii 1 NetOps Overview Mission Effects NetOps Essential Tasks Overview GIG Enterprise Management Information Technology Services Critical Capabilities Effects Enablers GIG Network Defense Fundamental Attributes Critical Capabilities Effects Enablers Information Dissemination Management / Content Staging Core Services Critical Capabilities Effects Enablers NetOps Command and Control Operating Principles Overview Net-Centric Operation and Defense of the GIG Self-Synchronization of NetOps C2 and NetOps Decision Making Theater & Global NetOps Events Theater NetOps Events Global NetOps Events Principles of NetOps Command and Control NetOps C2 Structure & Relationships v UNCLASSIFIED

6 4.1 NetOps Community of Interest Organizational Roles and Capabilities Commander, US Strategic Command Commander, Joint Functional Component Command for Network Warfare Commander, Joint Task Force-Global Network Operations Global NetOps Center JTF-GNO Operational Forces and Service Components Commander, Global NetOps Support Center Commander, Theater NetOps Center Commander, GIG Infrastructure Services Management Center JTF-GNO Service Component Commands Service Global Network Operations and Security Centers and Computer Emergency / Incident Response Teams Combatant Commands Geographic Combatant Commands Theater NetOps Control Center Service Theater Network Operations and Security Centers United States Army United States Navy United Sates Marine Corps United States Air Force Functional Combatant Commands Global NetOps Control Center Sub-Unified Sub-Unified NetOps Control Center Joint Task Force Joint NetOps Control Center Defense Agencies DoD Agency Theater Network Operations and Security Centers DoD Agency Global Network Operations and Security Center Defense Information Systems Agency Interagency Director of National Intelligence Intelligence Community Incident Response Center National Security Agency The Defense Intelligence Agency National Communications System NetOps C2 Structure Global NetOps C Theater NetOps C Collaborative NetOps C2 Process Overview NetOps C2 Process The Basic NetOps C2 Process and Its Component Functions vi UNCLASSIFIED

7 Monitor and collect data on the situation Develop an understanding of the situation Develop a course(s) of action and select one & Develop a plan to execute the selected course of action Execute the plan, to include providing direction and leadership to subordinates Monitor execution of the plan and adapt as necessary Collaboration Collaborative C2 Functions Linking the Basic and Collaborative NetOps C2 Processes NetOps Shared Situational Awareness Overview NetOps Situational Awareness Capability NetOps Situational Awareness Content NetOps Situational Awareness Responsibilities Combatant Commander Responsibilities Component, Service, Agency, Sub-Unified, and JTF Responsibilities Appendix A: References Appendix B: Glossary Appendix C: Acronyms vii UNCLASSIFIED

8 List of Figures Figure 1: NetOps Essential Tasks and Effects... 3 Figure 2: USSTRATCOM Operational C2 Structure Figure 3: JTF-GNO Staff Organization Figure 4: JTF-GNO Operational Forces Figure 5: JTF-GNO Service Components Figure 6: US Army NetOps Forces Figure 7: US Navy NetOps Forces Figure 8: US Marine Corps NetOps Forces Figure 9: US Air Force NetOps Forces Figure 10: Global NetOps C Figure 11: Theater NetOps C Figure 12: The Basic C2 Functions and Process Figure 13: Collaborative C2 Process Figure 14: Linking the Basic and Collaborative C2 Processes Figure 15: GIG SA Reporting Flow viii UNCLASSIFIED

9 1 NetOps We must change the paradigm in which we talk and think about the network; we must fight rather than manage the network and operators must see themselves as engaged at all times, ensuring the health and operation of this critical weapons system. ~ Secretary of Defense Donald Rumsfeld 1.1 Overview NetOps is defined as the operational construct consisting of the essential tasks, Situational Awareness (SA), and C2 that CDRUSSTRATCOM will use to operate and defend the GIG. This document explains how NetOps is essential for enabling net-centric operations. NetOps operators are responsible for performing the functions to sustain the operational readiness of the GIG. NetOps operators are defined as those people that are performing and managing NetOps functions as discussed in this document. As a result of this CONOPS, these operators will be better able to: Monitor the performance and capabilities of the GIG. Optimize the GIG. Manage risk of service disruption. Collaborate worldwide. Defend the GIG. Provide SA of the GIG. The following terms are used throughout this CONOPS and require a universal understanding. Global Information Grid. The GIG and its assets are defined in Department of Defense (DoD) Directive , as follows: Globally interconnected, end-to-end set of information capabilities, associated processes, and personnel for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes all owned and leased communications and computing systems and services, software (including applications), data security services, and other associated services necessary to achieve Information Superiority. It also includes National Security Systems (NSS) as defined in section 5142 of the Clinger-Cohen Act of The GIG supports all DoD, National Security, and related Intelligence Community (IC) missions and functions (strategic, operational, tactical, and business) in war and in peace. The GIG provides capabilities from all operating locations (bases, posts, camps, stations, facilities, mobile platforms, and deployed sites). The GIG provides interfaces to coalition, allied, and non-dod users and systems. The GIG includes any system, equipment, software, or service that meets one or more of the following criteria: Transmits information to, receives information from, routes information among, or interchanges information among other equipment, software, and services. 1 UNCLASSIFIED

10 Provides retention, organization, visualization, information assurance, or disposition of data, information, and/or knowledge received from or transmitted to other equipment, software, and services. Processes data or information for use by other equipment, software, and services. Net-Centric Services. Net-centric services will provide DoD organizations access to reliable, decision-quality information through net-based services infrastructure and applications to bridge a real-time or near-real-time COI. The services will empower the edge user to pull information from any available source, with minimal latency, to support the mission. Its capabilities will allow GIG users to task, post, process, use, store, manage and protect information resources on demand for warriors, policy makers and support personnel. 1.2 Mission The NetOps mission is to operate and defend the GIG. Unlike many missions that are deemed successful at a defined completion date, the NetOps mission is perpetual, requiring continual support to be successful. NetOps will provide assured net-centric services in support of DoD s full spectrum of war fighting, intelligence, and business missions throughout the GIG, seamlessly, end-to-end. An objective of net-centric services is to quickly get information to decision-makers, with adequate context, to make better decisions affecting the mission and to project their decisions forward to their forces for action. If the decision maker is not getting the needed net-centric services, the GIG NetOps community must collaboratively determine who must take action and how information flow can be optimized. This requires NetOps personnel to have a shared SA as well as the technologies, procedures, and collaborative organizational structures to rapidly assess and respond to system and network degradations, outages, or changes in operational priorities. All functions required to most effectively support GIG operations will be holistically managed. The effectiveness of NetOps will be measured in terms of availability and reliability of netcentric services, across all domains, in adherence to agreed-upon service levels and policies. The method for service assurance in a net-centric collaborative environment is to establish operational thresholds, compliance monitoring, and a clear understanding of the capabilities between enterprise service/resource providers and consumers through Service Level Agreements (SLAs). Proper instrumentation of the GIG will enable monitoring of adherence to these SLAs, as well as enable timely decision-making, service prioritization, resource allocation, root cause, and mission impact assessment. Subsequent TTPs and SLAs will be formalized with appropriate implementation policies to enforce compliance. 1.3 Effects An effect is a result or impact created by the application of military or other power. 1 The desired effects of NetOps are Assured System and Network Availability, Assured Information Protection, and Assured Information Delivery. These effects are all required to achieve and sustain assurance of the NetOps mission. Adhering to the NetOps mission and performing the 1 Smith, Edward A. Effects Based Operations: Applying Network Centric Warfare in Peace, Crisis, and War. Washington, DC; DoD Command and Control Research Program. P.111, UNCLASSIFIED

11 three NetOps essential tasks (GEM 2, GND 3, and IDM/CS) in a standard discipline will provide the war fighter with the desired NetOps effects. The three NetOps essential tasks are discussed further in chapter two. Integration of the NetOps essential tasks must be performed at the strategic, operational, and tactical levels and across all DoD war fighting, intelligence, and business domains for the effects to be successful. Figure 1: NetOps Essential Tasks and Effects Figure 1, titled NetOps Essential Tasks and Effects, was developed to establish a common understanding of the technical composition that must be considered to provide and sustain the effects of NetOps. The center of the diagram illustrates the three NetOps essential tasks, their relationships, and the desired effects once they are transformed into a tightly integrated NetOps capability. The three desired effects are further discussed below. Assured System and Network Availability. Provide visibility and control over the system and network resources. Resources are effectively managed and problems are anticipated and mitigated. Proactive actions are taken to ensure the uninterrupted availability and protection of the system and network resources. This includes providing for graceful degradation, selfhealing, fail over, diversity, and elimination of critical failure points. 2 Note: The concept of GIG NetOps has evolved since its last iteration. The naming convention GIG Enterprise Management (GEM) has replaced what was previously known as Enterprise Services Management/Network Management (ESM/NM) in an effort to more clearly define the parts that make up this NetOps essential task 3 Note: For the purpose of this CONOPS and to convey the global dimension of STRATCOM s mission to defend the GIG, the term GIG Network Defense (GND) is used in this document to encompass Information Assurance (IA), Computer Network Defense (CND), Critical Infrastructure Protection (CIP) and other GIG defense tasks in an effort to more clearly define the scope of this NetOps essential task. This is not intended to replace the terms of IA and CND. 3 UNCLASSIFIED

12 Assured Information Protection. Provide protection for the information passing over networks from the time it is stored and catalogued until it is distributed to the users, operators and decision makers. Assured Information Delivery. Provide information to users, operators, and decision makers in a timely manner. The networks are continuously monitored to ensure the information is transferred with the correct response time, throughput, availability, and performance that meet user needs. 4 UNCLASSIFIED

13 2 NetOps Essential Tasks All operations, while regional in execution, have global consequence and therefore require a global perspective. ~ Gen J.E. Cartwright, CDRUSSTRATCOM 2.1 Overview NetOps integrates three interdependent tasks - GEM, GND, and IDM/CS. NetOps is not simply GEM and GND and IDM/CS tacked together. Rather, it is the methodical integration of each task s individual capabilities and the resultant synergy. The three NetOps essential tasks are discussed in the following sections. 2.2 GIG Enterprise Management GEM is defined as the technology, processes, and policy necessary to effectively operate the systems and networks that comprise the GIG. This essential task merges Information Technology (IT) services with the NetOps critical capabilities Information Technology Services There are five major IT services within GEM. They manage the GIG services and technologies to ensure the effective and efficient operations, performance, availability, and security of GIG information systems, elements of systems, and services. These services must be employed at the strategic, operational, and tactical levels across all DoD warfighting, intelligence, and business domains. Enterprise Services Management. Provides the services for end-user applications, webbased services, remote hosted applications, discovery, storage, operating systems and other IT components of applications. Systems Management. Provides the day-to-day management of computer-based information systems, elements of systems, and services to include software applications, operating systems, databases, and hosts of the end-users. System management comprises all the measures necessary to ensure the effective and efficient operations of GIG information systems, elements of systems, and services. Network Management. Provides the services of a networked system with the desired level of quality and guaranteed availability. Networks included within GEM are located on all three means of communication (terrestrial, airborne, or Satellite Communications (SATCOM)) and they include: switched networks, data networks, Video Teleconferencing (VTC) networks, SATCOM networks, and wireless networks. Satellite Communications Management. SATCOM management is the day-to-day operational management of all apportioned and non-apportioned SATCOM resources, to include appropriate support when disruption of service occurs; provides global SATCOM system status; maintaining global SA to include each Combatant Command s (COCOM s) current and planned operations as well as Space, Control, and Terminal Segment asset and operational configuration management; radio frequency interference resolution management; satellite anomaly resolution and management; and SATCOM interference to the GIG. 5

14 Electromagnetic Spectrum Management. Spectrum planning and management involves the efficient employment of the electromagnetic spectrum including: international planning; frequency allocation; coordination with civilian and other government departments, agencies, military services and components, and allies; frequency assignment, allotment, and approval; protection; frequency deconfliction; interference resolution; and coordination with electronic warfare activities. Spectrum management ensures that the Combatant Commanders and subordinate Commanders have cognizance of all spectrum management decisions that impact accomplishment of their missions Critical Capabilities GEM involves the following NetOps critical capabilities to support the IT services previously discussed. These capabilities for GEM must be employed along with the IT services at the strategic, operational, and tactical levels across all DoD war fighting, intelligence, and business domains. FCAPS. Fault, Configuration, Accounting, Performance, and Security (FCAPS) are required for computing hosts, software applications and connected transmission systems, both wired and wireless, that carry voice, video, data, and imagery. Visibility. Visibility involves knowing the status of the networks and systems that comprise the GIG. Monitoring and Analysis. Monitoring and analysis involves receiving and viewing relevant fault and performance data to determine the impact on current operations and provide trend analysis. Planning. Planning occurs in establishing the computer and communications configurations for an operation: allocating circuits, calculating loads, ensuring spectrum non-interference, and establishing applications to be used in the operation. Contingency planning including backup resources and restoration resources is a critical aspect of GEM planning. Coordinating and Responding. Receives, compiles, and disseminates fault and performance data for systems and networks to create a common network picture and coordinates response to major network outages that could have an operational impact. Management and Administration. Management and administration includes establishing restoration priorities for assigned systems and networks, and developing and overseeing implementation of policies, procedures, and special instructions to subordinate network control centers. It involves planning, coordinating, and approvals for frequency allotments and assignments, SATCOM access, Request for Service (RFS) release, Telecommunication Service Request (TSR), tactical Telecommunication Service Order (TSO) preparation and release, and Communications System tasking. Control. Control involves the ability to perform FCAPS management over all assigned systems and networks Effects Enablers This essential task enables Assured System and Network Availability and Assured Delivery as indicated in Figure 1. The effects of this essential task are achieved by: Information 6

15 Configuring and allocating GIG system and network resources. Ensuring effective, efficient and timely processing, connectivity, routing, and information flow. Accounting for resource usage. Maintaining robust GIG capabilities in the face of component or system failure and/or attack. Rapid, flexible deployment of networked resources. Planning for increased network utilization. 2.3 GIG Network Defense To convey the global dimension of STRATCOM s mission to defend the GIG, the term GND is used in this document to encompass USSTRATCOM s operational responsibilities for Information Assurance (IA), Computer Network Defense (CND), Critical Infrastructure Protection (CIP) and other GIG defense tasks in an effort to more clearly define the scope of this NetOps essential task. This is not intended to replace the terms of IA and CND. Additionally, GIG constituent systems that meet the definition of a NSS must follow the appropriate IA guidelines and policies for NSS. Other GIG systems not designated NSS must be provided adequate IA so as not to jeopardize the security of GIG NSS systems Fundamental Attributes There are five major fundamental attributes within GND. These fundamental attributes help to protect friendly information and information systems while denying adversaries access to the same information and information systems. Protection. Prior actions taken to counter vulnerabilities in GIG information transport, processing, storage, service providers, and operational uses. Protection activities include Emission Security (EMSEC), Communications Security (COMSEC), Computer Security (COMPUSEC), Information Security (INFOSEC), and CIP incorporating physical protection, access control, cryptography, network guards, and firewall systems. Monitoring. The monitoring of information systems to sense and assess abnormalities, the use of anomaly and intrusion detection systems. Detection. Timely detection, identification, and location of abnormalities to include attack, damage, or unauthorized modification is key to initiating system response and restoration actions. Analyzing. Assess pertinent information to determine indications and warnings, SA, evaluate system status, identify root cause, define Courses of Action (COA), prioritize response and recovery actions, and conduct necessary reconfiguration of GIG assets as needed. Responding. Directed actions taken to mitigate the operational impact of an attack, damage, or other incapacitation of an information system. Response also includes restoration -- the prioritized return of essential information systems, elements of systems, or services to preevent capability. Computer Network Defense Response Actions (CND RA) include defensive and restoration actions. Response Actions (RAs) are deliberate, authorized defensive measures or activities that protect and defend DoD computer systems and networks under attack or targeted for attack or exploitation by adversary computer systems/networks. 7

16 RAs expand DoD s layered defense-in-depth capabilities and increase DoD s ability to withstand adversary attacks or exploitations. Objectives for using CND RAs include: Strengthening DoD s defensive posture and operational readiness. Halting or minimizing attack and exploitation effects or damage. Supporting rapid, complete attack or exploitation characterization Critical Capabilities GND involves the following NetOps critical capabilities to support the fundamental attributes previously discussed. These capabilities for GND must be employed along with the fundamental attributes at the strategic, operational, and tactical levels across all DoD war fighting, intelligence, and business domains. Visibility. Visibility involves knowing the status of the security of the GIG to include the configuration of each device and current threats to the GIG. Monitoring and Analysis. Monitoring and analysis involves receiving and viewing all GND events and incidents to determine the impact on current operations and provide trend analysis. Planning. Planning occurs in establishing defense-in-depth configurations, assigning monitoring responsibilities, anticipating contingency operations for a given set of cyber attacks/failures and coordinating NetOps Priority Information Requirements (PIR) with COCOM PIRs. Coordinating and Responding. Receives, compiles, and disseminates GND events and incidents to create a common GND picture and coordinates and directs response to major GND events and incidents that could have an operational impact. Management and Administration. Management and administration involves collecting and consolidating intrusion detection reports and data, assessing the compiled data, and reporting the results to the appropriate command authorities. Management involves coordinating the efforts of subordinate network control and operations centers to detect, isolate, and contain GND events and incidents. Management establishes policies and procedures to govern GND Rules of Engagement (ROE) for subordinate centers. It also maintains and oversees implementation of network defense initiatives and compliance with Information Assurance Vulnerability Alerts (IAVA) procedures. Control. Control involves the ability to maintain and direct automated intrusion detection systems and devices. It also involves the implementation of IAVA on systems Effects Enablers This essential task enables Assured Information Protection and Assured System and Network Availability as indicated in Figure 1. The effects of this essential task are achieved by: Instituting agile capabilities to resist adversarial attacks, through recognition of such attacks as they are initiated or are progressing. Efficient and effective RAs to counter the attack, and, safely and securely recover from such attacks. 8

17 Reconstituting capabilities from reserve or reallocated assets when original capabilities are destroyed. Maintaining correlation activities between user elements to ascertain hostile GND events from other system outages or degradations. 2.4 Information Dissemination Management / Content Staging 4 IDM/CS is defined as the technology, processes, and policy necessary to provide awareness of relevant, accurate information; automated access to newly discovered or recurring information; and timely, efficient and assured delivery of information in a usable format. As IDM/CS becomes more mature, the complete complement of its services will be available for use by all authorized DoD GIG users as a net-centric service. This essential task merges core services with the NetOps critical capabilities Core Services The core services necessary to implement Information Dissemination Management / Content Staging are Content Discovery, Content Delivery, and Content Storage. These core services are envisioned to be enterprise wide services used by the entire DoD to ensure our information is available to all authorized users. The GIG Enterprise Service effort and the Net-Centric Enterprise Services program will deliver these core services. Content Discovery. Content Discovery provides the ability to quickly search for information throughout the GIG. Using any web browser, whether on a desktop computer or wireless device, operational staffs can search across multiple sources from one place, vice making several attempts. Once the product is located, the access service permits the users to pull in the needed product. Content Delivery. Information that is received in the Area of Responsibility (AOR) by the Information Manager (IM) is delivered using the IDM/CS delivery service. Content Delivery provides the user the capability to replicate files and directives, publish, and subscribe to information based on roles and responsibilities, and provide assured, timely transport of the information, to include notification of when the information was read by a distant user. Items are delivered across multiple, heterogeneous communication systems with delivery and read receipt notifications, providing assured delivery of information products. Content Storage. Content Storage provides physical and virtual places to host data on the network with varying degrees of persistence. These information storage capabilities will be located throughout the GIG Critical Capabilities ID M/CS involves the following NetOps critical capabilities to support the core services previously discussed. These capabilities for IDM/CS must be employed along with the core 4 This section discusses the concept of Information Dissemination management / Content Staging. This is not synonymous with the DISA Content Staging system currently being fielded. While DISA s Content Staging system is an implementation of the concept of Content Staging, this concept is much broader than capabilities of the current system. 9

18 services at the strategic, operational, and tactical levels across all DoD war fighting, intelligence, and business domains. Visibility. Visibility involves knowing the status of the information flowing across the GIG and of those systems used to store, catalog, discover and transport information. Monitoring and Analysis. Monitoring and analysis involves viewing information flows and and ensuring that user profiles are being access, determining impact to network capacity, satisfied with a reasonable quality of service. Planning. Planning occurs in establishing prioritized information requirements, sources responsible for providing that information, and staging of information content throughout the GIG in support of a given operation. Contingency planning for disseminating information is a critical aspect of IDM/CS operational planning. Coordinating and Responding. Tracks and maintains knowledge of the various requests and user profiles for information; coordinates changes in the operating parameters of GIG assets; identifies new products; reviews and validates user-profile database; and develops joint policies and procedures governing information. The GIG Integrated Architecture will enable user data pulls, which will minimize the need for central coordination and administration. Management and Administration. Management and administration includes establishing the priorities for information gathering and reporting through the Commander's critical information requirements; emerging intelligence from the Commander s operations area, emerging operational information, and public affairs guidance; developing policy and procedures to govern information flow; directing subordinate forces to develop mission information exchange requirements and user profiles; and incorporating expected information requirements into communications capacity planning. Control. Control involves developing mission information exchange requirements, developing user profiles, and updating and customizing standing user profiles Effects Enablers This essential task enables Assured Information Delivery and Assured Information Protection as indicated in Figure 1. The effects of this essential task are achieved by: Permitting commanders to adjust information delivery methods and priorities for enhanced SA. Allowing information producers to advertise, publish and distribute information to the war fighter. Enabling users to define and set information needs (profiles) to facilitate timely and efficient information delivery and/or search information databases to retrieve desired products as required. Improving bandwidth utilization. Enhancing all aspects of the GIG transport capabilities. 10

19 3 NetOps Command and Control Operating Principles The Department is transitioning to a global force management process. This will allow us to source our force needs from a global, rather than regional, perspective and to surge capabilities when needed into crisis theaters from disparate locations worldwide. Our global presence will be managed dynamically, ensuring that our joint capabilities are employed to the greatest effect. Under this concept, Combatant Commanders no longer own forces in their theaters. Forces are allocated to them as needed-sourced from anywhere in the world. This allows for greater flexibility to meet rapidly changing operational circumstances. ~ The National Defense Strategy, March Overview Most existing C2 philosophy, doctrine, and practices were developed and perfected during the Industrial Age. 5 Industrial Age C2 emphasizes highly centralized planning and uses a linear and sequential process in planning and executing military operations. The underlying principles of Industrial Age C2 resulted in military organizations whose: Hierarchy with numerous layers of command affected the commander s ability to react to changing operational situations. Information flow process depended upon the organizational hierarchy, which led to stovepiped systems and approaches to information management. Minimal sharing of information with other organizations prevented them from taking full advantage of all the available information. The result is a Joint C2 system that lacks agility and is largely inadequate to deal with the challenges of the future operating environment. Sharing information, SA, and understanding of the operating environment is slow and difficult. It employs command by direction or command by plan methodologies that lack sufficient responsiveness to deal with the complexities and uncertainties of the future operating environment. 6 Starting in the late 1990 s, the DoD began evaluating the benefits that Information Age technology can bring to military operations. The vast improvements in information sharing realized by applying Information Age technology to military C2 will significantly improve our agility and speed of command. These ideas evolved into the concept of NCOW. Initially defined as Network Centric Warfare, the concept evolved to include the Business and Intelligence operations of DoD and is now NCOW. NCOW is the best term developed to date to describe the way we will organize and fight in the Information Age. 7 5 Toffler, Alvin. War and Anti-War. Boston, MA: Warner Books Joint Command and Control Functional Concept, February 2004, pp Alberts, Garstka and Stein. Network Centric Warfare: Developing and Leveraging Information Superiority. 2 nd Edition (Revised). 1999, p

20 NCOW is the application of Information Age technology to military C2 resulting in an information superiority-enabled concept of operations that generates increased combat power by networking sensors, decision makers and shooters to achieve shared awareness, increased speed of command, higher tempo of operations, greater lethality, increased survivability, and a degree of self-synchronization. In essence, NCOW translates information superiority into combat power by effectively linking knowledgeable entities in the battlespace. 8 NCOW represents a powerful set of war fighting concepts and associated military capabilities that allow warfighters to take full advantage of all available information and bring all available assets to bear in a rapid and flexible manner. The tenets of NCOW that dramatically increase mission effectiveness 9 are: A robustly networked force improves information sharing. Information sharing enhances the quality of information and shared SA. Shared SA enables collaboration and self-synchronization, and enhances sustainability and speed of command. 3.2 Net-Centric Operation and Defense of the GIG NetOps, as a net-centric operation, faces the same set of C2 challenges as any other Joint Force Operation. As a critical enabling capability to achieving net-centricity, NetOps must adopt Information Age C2 structures and processes. For DoD to achieve net-centricity, the GIG must be operated net-centrically. The NetOps COI (discussed further in section 4.1) must lead the way in adopting collaborative C2. The NetOps COI must be able to operate and defend the GIG in a net-centric manner, in order for the DoD to realize the benefits of NCOW Self-Synchronization of NetOps Key to the NCOW concept is the objective of conducting self-synchronizing operations. Selfsynchronized operations are the collaborative and decentralized initiation and execution of actions by elements of a joint force in support of the desired end state. Also defined as the interaction between two or more entities to operate in the absence of hierarchical mechanisms for Joint C2, self-synchronized operations are a mechanism for communicating the ongoing dynamics of the operational situation and triggering the desired value-added interaction. The requirements for achieving self-synchronization are: A clear and consistent understanding of command intent. High quality information and shared SA. Competence at all levels of the force. Trust in the information, subordinates, superiors, peers, and equipment. 8 Alberts, Garstka and Stein. Network Centric Warfare: Developing and Leveraging Information Superiority. 2 nd Edition (Revised) Ibid, pp. i. 12

21 The command function is not absent in self-synchronized forces; however, it does depend on achieving congruent command intent, shared SA, authoritative resource allocation, and appropriate ROE, as well as similar measures that guide but do not dictate details to subordinates. Moreover, the tenets of NCOW do not assume that self-synchronization is the only way Information Age forces will operate. They argue only that they will be capable of such operations and that those operations will be more effective (greater likelihood of mission accomplishment) and efficient (few forces able to do more). Unless the conditions necessary for self-synchronized operations are met, there is no assumption that it should be employed. The objective of NetOps C2 activities is self-synchronized operation and defense of the GIG. It is impossible to effectively operate and defend the GIG from one centralized headquarters. Effective operation and defense of the GIG requires competent NetOps Operators at all levels that understand the Commander s intent for the GIG and have SA about the GIG. Achieving this objective will: Increase the opportunity for lower-level NetOps organizations to operate nearly autonomously and to re-task themselves through exploitation of shared awareness and the commander s intent. Increase the value of subordinate initiative to produce a meaningful increase in GIG performance and responsiveness. Assist in the execution of the commander s intent for the GIG. Exploit the advantages of a highly trained, professional NetOps workforce. Rapidly adapt when important developments occur in the GIG. 3.3 C2 and NetOps Decision Making The NetOps COI will organize itself and conduct its operations on the basis of the following principles and command relationships. Both are derived from joint war fighting doctrine and guided by the joint operating concepts. USSTRATCOM, in conjunction with other COCOMs, will later establish procedures that provide specifics associated with supported relationships within the NetOps C2 structure Theater & Global NetOps Events A NetOps event is a collective term for all NetOps activities that have the potential to impact the operational readiness of the GIG. To effectively operate the GIG as a global enterprise while realizing the Geographic Combatant Command (GCC) requirements to direct GIG operations in their theaters, CDRUSSTRATCOM developed an event based C2 structure. C2 of GIG operations will be based on the situation at the time. The two possible circumstances that determine the C2 of NetOps are known as Theater NetOps Events and Global NetOps Events. The preponderance of NetOps Events are Theater NetOps Events and are under the control of the GCC and its Service Components. Global NetOps Events occur less frequently but when they do occur, USSTRATCOM will direct the global response. USSTRATCOM, in conjunction with other COCOMs, will establish tactics, techniques and procedures for executing the supported relationships within the NetOps C2 structure. 13

22 Theater NetOps Events Theater NetOps Events are those NetOps activities occurring within a theater that have the potential to impact the operations in the theater. The GCC is the supported commander for Theater NetOps Events. USSTRATCOM and Joint Task Force Global Network Operations (JTF-GNO) provide support to the GCC for Theater NetOps Events. JTF-GNO Service Component Commands provide support for Theater NetOps Events through the Theater Service Component Command if established. Functional Combatant Commands (FCCs) are the supporting commands for NetOps activities that affect or have the potential to affect the GCC s area of operations or mission. Non-DoD activities may also provide support per intra-governmental agreements Global NetOps Events Global NetOps Events are those activities that have the potential to impact the operational readiness of the GIG and require a coordinated response amongst affected Combatant Commanders, Military Services, Defense Agencies and other members of the NetOps COI. CDRUSSTRATCOM is the supported commander for Global NetOps Events and will issue orders and direction through JTF-GNO to the Combatant Commands, Services, Agencies (CC/S/As) and other members of the NetOps COI. GCCs are responsible for leading the Theater response to Global NetOps Events within their theater in accordance with USSTRATCOM & JTF-GNO direction. JTF-GNO Service Component Commands will support the execution of Global NetOps. FCCs are the supported commands where NetOps activities affect or have the potential to affect execution of their assigned missions Principles of NetOps Command and Control These guiding principles apply to all levels of NetOps execution. The objective of NetOps C2 activities is Self-synchronized operation of the GIG. NetOps activities will be executed at the lowest level of command possible. DoD NetOps direction will be executed through the Unified Command chain of command using supporting/supported command relationships. The supported commander has the authority to take whatever NetOps action is deemed necessary to support the mission and has final decision responsibility. All Commanders must continually consider the possible global impact of their actions. Commanders must be fully aware of GIG resource allocations to DoD missions. If a NetOps action has potential global impact, the supported commander must initiate collaboration with the NetOps COI. In time critical situations, such as immediate Computer Network Defense (CND) actions to defend the GIG within an AOR, action may be initiated prior to collaborating or collaboration may be abbreviated. Collaboration must then follow in order to mitigate or remediate global affects, if any. 14

23 NetOps activities affecting Sensitive Compartmented Information (SCI) networks will be executed in accordance with joint procedures defined by the Secretary of Defense (SECDEF) and the Director of National Intelligence (DNI) or their designees. 10 Non-DoD NetOps activities will be executed per memorandum of agreement with the DoD. 10 Secretary of Defense Memorandum, Assignment and Delegation of Authority to Director, Defense Information Systems Agency (DISA), 18 Jun

24 4 NetOps C2 Structure & Relationships The GIG will help enable Network Centric Warfare by improving information sharing among all elements of a Joint Force, and with allied and coalition partners. ~ Network Centric Warfare, DoD Report to Congress, 27 July NetOps Community of Interest The NetOps COI is the term used to describe the collaborative group of organizations responsible for operating and defending the GIG. The NetOps COI must exchange relevant information in pursuit of their shared objective and mission to operate and defend the GIG. Under the authority vested in the Commander, USSTRATCOM, the NetOps COI consists of organizations from the Office of the Secretary of Defense, Joint Chiefs of Staff, Combatant Commands, Military Services, Defense Agencies, Other US Government Agencies, IC, coalition partners and NGO that must interact to accomplish NetOps in support of the DoD mission. The NetOps COI is divided into two general components: DoD and non-dod. Within the DoD, the NetOps COI includes the Military Departments, all Combatant Commands, Services, Defense Agencies and Field Activities. Outside the DoD, the NetOps COI includes allies, coalition partners, other US Government Agencies, state and local governments, commercial and NGO, multinational partners, and regional and international organizations. The NetOps COI is linked together by its need to exchange information in pursuit of common mission accomplishment, shared SA and understanding, planning and decision-making, and who therefore must have a common vocabulary for the information they exchange. 11 As described in DoD Net-Centric Data Strategy, the NetOps COI can be considered a ubiquitous institutional COI that supports the formation of warfighting, intelligence, and business institutional and 12 expedient COIs. This CONOPS applies to the entire NetOps COI and will govern their operational conduct. It will be used to develop deliberate plans, support crisis action planning, and orders production. Non-DoD organizations connecting to the GIG will comply with this CONOPS. It is also applicable to Program Managers (PM) and Program Management Offices (PMO), responsible for net-centric programs supporting both the NetOps COI and NCOW as a whole. 4.2 Organizational Roles and Capabilities Commander, US Strategic Command In addition to other missions, the UCP 2004, dated March 2005, assigns CDRUSSTRATCOM as the Combatant Commander for IO and Global C4ISR. CDRUSSTRATCOM has determined 11 Ibid, p Ibid, pp Communities of interest are also described as permanent and temporary, as well as formal and informal, in the Net-Centric Environment Joint Functional Concept, Version 9.5, 30 Dec 2004, pp See further discussion of Communities of interest in DoD CIO IM Directorate s Communities of Interest in the Net- Centric DoD FAQs, 19 May 04, v

25 that this mission includes directing Global NetOps operations; advocating the NetOps requirements for all COCOMs; and planning and developing national requirements. In order to operationalize missions assigned to USSTRATCOM, the commander delegated operational and tactical level planning, force execution, and day-to-day management of forces to Joint Functional Component Commands (JFCC) (Figure 2). These JFCCs will conduct operations for USSTRATCOM while the Headquarters focuses on strategic-level integration and advocacy of its assigned missions. 13 At the request of CDRUSSTRATCOM, the SECDEF assigned the Director, DISA as the Deputy Commander for Global Network Operations and Defense, with authorities and responsibilities for Global Network Operations and Defense and as the Commander of JTF-GNO. Figure 2: USSTRATCOM Operational C2 Structure NetOps is conducted by JTF-GNO, unless otherwise directed by CDRUSSTRATCOM. Such operations include apprising CDRUSSTRATCOM on NetOps matters impacting the GIG s integrity and support of DoD missions. CDRUSSTRATCOM manages the apportionment and allocation of GIG system and network resources. Competing resource requirements that cannot be resolved will be forwarded through CDRUSSTRATCOM, to the CJCS for adjudication. CDRUSSTRATCOM identifies and advocates for COCOM NetOps requirements through the Planning, Programming, Budgeting, and Execution System (PPBES) process Commander, Joint Functional Component Command for Network Warfare Joint Functional Component Command for Network Warfare (JFCC-NW) is responsible for planning, integrating and coordinating computer network warfare capabilities and integrating with all necessary computer network defense and exploitation capabilities. Network warfare is 13 Commander, US Strategic Command Memorandum Establishment of Joint functional Component Command for Network Warfare, 20 January

26 defined as the employment of Computer Network Operations (CNO) with the intent of denying adversaries the effective use of their computers, information systems, and networks, while ensuring the effective use of our own computers, information systems, and networks. This includes development of information / intelligence support and information assurance requirements for supporting network warfare, the integration of Computer Network Attack (CN A) and Computer Network Exploitation (CNE) capabilities and direct coordination with JTF-GNO Commander, Joint Task Force-Global Network Operations JTF-GNO directs the operation and defense of the GIG to assure timely and secure net-centric capabilities across strategic, operational, and tactical boundaries in support of DoD's full spectrum of warfighting, intelligence, and business domains. The Commander, JTF-GNO (Cdr, JTF-GNO) will exercise Operational Control (OPCON) of the GIG for Global NetOps issues. Under the authority of CDRUSSTRATCOM, JTF-GNO issues the orders and directives necessary to maintain the assured service of the GIG, ensuring that the President, SECDEF, CC /S/As can accomplish their missions. The CC/S/As execute JTF-GNO s directives within their respective areas and report compliance. To achieve this mission, CDRUSSTRATCOM assigned these tasks to the Cdr, JTF-GNO: 1. Direct Operations and Defense of the GIG. 2. Maintain GIG availability and integrity; ensure efficient traffic management. 3. Establish and oversee SA of the GIG readiness and defensive posture. 4. Assist CDRUSSTRATCOM in developing tools, monitoring threats, verifying policy comp liance, and controlling network access for consistent Information Assurance Vulnerability Management. 5. Direct and oversee network defense and information services. 6. Assist in establishing and maintaining standards for network, component, and defensive requirements. 7. Conduct network defense planning, preparation, and operations employment for normal operations and for crisis and deliberate planning. When directed, support deliberate and crisis action planning requested by other COCOMs. 8. Develop, coordinate, integrate, direct and oversee specific network defense COA in support of GIG network operations and defense. Coordinate with CDRUSSTRATCOM for approval authority on Tier 2.1 CND RAs. 9. Support USSTRATCOM participation in exercises and experiments involving GIG network management and defense. 10. Provide intelligence requirements in support of network defense. 11. Provide assessments and recommendations to USSTRATCOM for WATCHCON changes dictated in network threat warning. 12. Provide recommendations to USSTRATCOM for Information Operations Condition (INFOCON) changes. 14 Commander, US Strategic Command Memorandum Establishment of Joint functional Component Command for Network Warfare, 20 January Pending SECDEF approval. 18

27 13. Direct and oversee the establishment and maintenance of standards for technical testing, evaluation, and measures of effectiveness of network operations and defense capabilities. 14. Direct and oversee establishing procedures to provide Department measures of effectiveness and battle damage assessment during and following network defense operations. 15. Assist in formulating guidance for training network operations and defense forces. 16. Assist in developing and promulgating joint TTPs for network operations and defense activities. 17. Identify desired characteristics and capabilities for network operations and defense. The JTF-GNO staff assists the Cdr, JTF-GNO in executing the NetOps mission. (Figure 3) Figure 3: JTF-GNO Staff Organization Global NetOps Center The Global NetOps Center (GNC) is the JTF-GNO Command Center responsible for executing the daily operation and defense of the GIG. The GNC directs, manages, controls, monitors, and reports on essential elements and applications of the GIG in order to ensure its availability to support the needs of the President, SECDEF, CC/S/As, warfighting, business, and intelligence domains. The GNC provides the overall management, control and technical direction for GIG NetOps and oversees a collaborative coordination process involving all CC/S/As. The responsibilities of the GNC include: Direct the operation and defense of the GIG. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Advise JTF-GNO and CDRUSSTRATCOM on matters regarding the allocation and adjudication of GIG resources. 19

28 Advise JTF-GNO and CDRUSSTRATCOM of any matters impacting the GIG s integrity and/or NetOps issues affecting DoD missions. In coordination with CC/S/A, establish and maintain the technical and operational standards by which the GIG SA will be generated across the GIG. Perform global incident/intrusion monitoring and detection, strategic vulnerability analysis, computer forensics, and responses to GND-related activity. Direct COA and coordinate the CND incident RAs across DoD to defend networks under attack. Determine COA and direct restoral of GIG capabilities and services when required. Maintain GI G SA in support of each COCOM s current and near term operations as well as deliberate plans. Maintain visibility, to include security monitoring of the GIG, through an integrated GIG SA view. This is achieved through the integration of Theater NetOps Center (TNC) and Service/ Agency collected and shared GIG SA data. This shared SA view includes wireless, terrestrial, and space based systems; enterprise services; and both the logical and physical infrastructure views of the network. Identify, localize, and resolve GIG security anomalies that affect the GIG s ability to support senior military leadership at the national level, JS, and supported COCOMs. Coordinate GND support to the COCOMs. Coordinate with and receive support from the DoD Law Enforcement and Counter- Intelligence (LE&CI) Center. Manage electromagnetic spectrum interference resolution, satellite anomaly resolution, and global SATCOM systems. The GNC establishes procedures facilitating the ability of adjacent commanders who share a common GIG boundary to: Consider the impact of one s own actions or inactions on adjacent commanders and related business and intelligence communities. Provide access to timely information among adjacent commanders regarding others intentions and actions, as well as those of non-military agencies or the enemy, which may influence adjacent activity. Support adjacent commanders, as required, by establishing a common aim and monitoring the unfolding situation. Coordinate the support provided and received. 20

29 JTF-GNO Operational Forces and Service Components In order to effectively conduct Global NetOps, JTF-GNO was given OPCON over Defense Information System Agency (DISA) NetOps organizations and Service Components. Figure 4: JTF-GNO Operational Forces Commander, Global NetOps Support Center The Global NetOps Support Center (GNSC) provides the day-to-day technical operation, control and management of the portions of the GIG that support Global Operations but are not assigned to a COCOM. The GNSC conducts GIG backbone NetOps, Standard Tactical Entry Point (STEP) mission support, Teleport, provisioning of provided services, network engineering, circuit implementation, and inter-theater connectivity among USNORTHCOM, USPACOM, USEUCOM, USSOUTHCOM, and USCENTCOM areas of responsibility. The GNSC provides general support to the GCCs and TNCs. The GNSC provides direct support to the FCCs. The GNSC provides full-time (24-hour/7-day), near real-time, correlated visibility, monitoring, coordination, control, and management support of the global backbone portions of the GIG. The Commander of the GNSC develops, monitors, and maintains a GIG SA view for the global backbone. To carry out its mission, the GNSC will: Operate and maintain the backbone services of the GIG. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Issue technical directives to ensure compliance with JTF-GNO direction. Provide SA information of GIG backbone services. 21

30 Monitor and collect performance data continuously for those information resources deemed important by JTF-GNO. Provide system and network status (fault and performance) information as part of the SA view. Assist in determining the technical and operational mission impacts caused by degradations, outages, and GND events. Perform incident/intrusion monitoring and detection, strategic vulnerability analysis, computer forensics, and responses to GND-related activity. Direct COA and coordinate the CND incident RAs across DoD to defend networks under attack. Determine COA and direct restoral of capabilities and services when required. Maintain SA in support of each FCC's current and near term operations as well as deliberate plans, as required. Maintain security monitoring through an integrated GIG backbone SA view. Until the USSOUTHCOM TNC is established, the GNSC will provide direct support to the USSOUTHCOM TNCC Commander, Theater NetOps Center The Commander of each TNC is responsible for the effective operation and defense of the GIG within the theater and for providing support to the GCC. The TNC develops, monitors and maintains a GIG SA view for the theater. The theater GIG SA view is aggregated and segmented based on requirements provided by the Theater NetOps Control Center (TNCC). It will include pertinent theater, operational, and tactical-level system and network, GND, and IDM/CS status. To carry out its mission, the TNC will: Operate and maintain the backbone services of the GIG assets located in their theater. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Issue technical directives to Service Theater Network Operations and Security Centers (STNOSCs)/Agency Theater Network Operations and Security Centers (ATNOSCs) to ensure compliance with TNCC and / or JTF-GNO direction. Receive SA information in order to monitor all Theater, Service and/or Service Component, and Agency systems and networks designated as mission critical. Support the CC/S/A by creating, disseminating, and making available the NetOps SA views for the Theater, Service and/or Service Component, and Agency. This is accomplished by integrating NetOps event and status information received from those elements within the TNC AOR that have NetOps reporting requirements. This shared SA view includes wireless, terrestrial, space-based systems, and enterprise services. Coordinate with the TNCC regarding reporting requirements (input data) and view specifications for NetOps SA. Monitor and collect performance data continuously for those information resources deemed important by the COCOM s TNCC or Global NetOps Control Center (GNCC). Provide system and network status (fault and performance) information as part of the SA view. 22

31 Provide the TNCC or GNCC with information security products and services to include the monitoring and reporting of intrusions, physical threats and analysis and correlation of intrusion incidents with Components, Sub-Unified Commands and Joint Task Forces. Assist in determining the technical and operational mission impacts caused by degradations, outages, and GND events. Perform incident/intrusion monitoring and detection, strategic vulnerability analysis, computer forensics, and responses to GND-related activity. Direct COA and coordinate the CND incident RAs across DoD to defend networks under attack. Determine COA and direct restoral of capabilities and services when required. Maintain SA in support of each COCOM's current and near term operations as well as deliberate plans, as required. Maintain security monitoring through an integrated GIG SA theater view. This is achieved through integration of TNC and Service/Agency collected and shared GIG SA data. This shared SA view includes wireless, terrestrial, space-based systems and enterprise services. Identify and resolve computer security anomalies that affect the GIG assets located in their theater. Coordinate theater GND support as directed by the TNCC. Coordinate with and receive support from LE&CI. Manage theater electromagnetic spectrum interference resolution, satellite anomaly resolution, and SATCOM systems Commander, GIG Infrastructure Services Management Center The GIG Infrastructure Services Management Center (GISMC) is the primary DoD enterprise level applications services NetOps center that supports the GNC, GNSC and TNCs with applications layer FCAPS, visibility, monitoring, analysis, planning, management and control. The center facilitates the net-centric transformation of DoD-level enterprise services by optimizing the consolidation and integrated NetOps of the existing and emerging applications networks and services. The applications services infrastructure that the GISMC is responsible for will include DoD s Active Directory, IDM/CS, computing services, GIG DMZ services, NCES, multinational information sharing, and other new and legacy global application services. The GISMC will provide the day-to-day technical operation, control and management of the GIG s infrastructure services that are Global network enablers. It will serve as the NetOps focal point for all critical GIG infrastructure services. The GISMC is under the operational control of JTF- GNO, providing general support to the NetOps COI. The GISMC will facilitate the sharing of enterprise level infrastructure technical and related information across NetOps COIs, thus providing Combatant Commanders, Services, and TNCs SA of infrastructure services outside their span of control, but critical to their mission. Where the GNSC provides day-to-day overall technical NetOps of the GIG backbone, the GISMC will provide applications layer focused day-to-day technical operations, control, and management of the GIG s enterprise-level application-based infrastructure services. The GISMC and the GNSC will coordinate related technical operations, control, and management issues to ensure that GIG NetOps tasks are integrated as shown in Figure 4. 23

32 The GISMC will execute the FCAPS functions IAW JTF-GNO policies as supported by current NetOps tools and processes to ensure consistency. The day-to-day administration will consist of a combination of GISMC based NetOps Support Teams and linked-in Enterprise Services Management Centers. This combination will track, manage, and report status of their assigned infrastructure services. The GISMC will evolve over time as the GIG evolves into a more Netcentric architecture with robust COCOM support capabilities at TNCs. The GISMC will provide full-time (24-hour/7-day), near real-time, correlated visibility, monitoring, coordination, control, and management support of the global infrastructure application services on the GIG. The GISMC will develop, monitor and maintain a GIG SA view of the global infrastructure services to ensure timely and efficient delivery of global information across the GIG. To carry out its mission, the GISMC will: Collaborate with the NetOps COI to ensure effective operation and defense of GIG infrastructure application services. Work closely with the GNSC to correlate related degradations, outages and GND events to identify and resolve root causes. Issue technical directives to ensure compliance with JTF-GNO direction. Provide SA information of infrastructure application services. Monitor and collect performance data continuously for those information infrastructure services deemed important by JTF-GNO. Provide system and service status (availability, fault, and performance) information as part of the SA view. Assist in determining the technical and operational mission impacts caused by degradations, outages, and GND events. Perform incident/intrusion monitoring and detection, strategic vulnerability analysis, computer forensics, and responses to GND-related activity. Direct courses of action and coordinate the GND incident response actions across DoD to defend infrastructure services under attack. Determine courses of action and direct restoral of capabilities and services when required. Maintain SA in support of each COCOM s current and near term operations as well as deliberate plans, as required. Maintain security monitoring through an integrated GIG infrastructure services SA view. 24

33 JTF-GNO Service Component Commands The JTF-GNO Service Component Commanders are the Commander, US Army Space and Missile Defense Command (USA SMDC), the US Air Force Commander for USAF NetOps (USAF NetOps / CC), Commander, US Navy Network Warfare Command (USN NETWARCOM) and Commander, US Marine Corps Network Operations and Security Command (MCNOSC). Each of these Service Component Commanders exercises OPCON over their SGNOSC (Figure 5). Figure 5: JTF-GNO Service Components Service Global Network Operations and Security Centers and Computer Emergency / 15 Incident Response Teams The Service Global Network Operations and Security Centers (SGNOSCs) and Computer Emergency / Incident Response Teams (CERT / CIRT) serve as a part of the Service Component to JTF-GNO. The SGNOSC and CERT / CIRT mission is to provide the Service-specific NetOps reporting and SA for the Service s portions of the GIG. The SGNOSC and CERT / CIRT provides worldwide operational and technical support to the Service s portions of the GIG across the strategic, operational, and tactical levels leveraging collaboration of the STNOSCs if established. The Service CERT / CIRT is responsible for executing GND and ensuring the Service s portions of the GIG are secure. 15 It is the intent of the NetOps Concept that the distinction between NOSCs and CERTs be eliminated and that all NetOps functions be performed in integrated Network Operations and Security Centers (NOSCs). However, this idea has not been universally adopted by all Services and the Joint Chiefs of Staff have directed different command relationships between JTF-GNO and the SGNOCs and CERTs / CIRTs. Therefore, the CONOPS must retain the distinction between NOSCs and CERTs / CIRTs. 25

34 CDRUSSTRATCOM exercises OPCON of Service Global Network Operations and Security Centers (SGNOSCs) through the JTF-GNO Component commands. In response to network events or activities, as determined by CDRUSSTRATCOM or Cdr, JTF-GNO, Service Chiefs or Secretaries shall instantaneously attach Service CERT / CIRT to Commander, JTF-GNO who will exercise Tactical Control (TACON) upon contact with service CERT / CIRT until such time that the responses to the events or activities are declared complete by Cdr, JTF-GNO. Upon completion, Service Secretaries will resume control of the CERT / CIRT. In this context, TACON includes the authority for Cdr, JTF-GNO to direct network reconfiguration and defensive actions across the GIG. Cdr, JTF-GNO has the authority to task the Service CERT / CIRT directly, without being required to access the CERT / CIRT through the USSTRATCOM assigned NetOps Service Component. Cdr, JTF-GNO will establish procedures with service CERT / CIRT command elements to coordinate and deconflict low density/high utilization CERT/CIRT resources. 16 The SGNOSC and CERT / CIRT roles and responsibilities include: Provide Service-specific NetOps support to CDRUSSTRATCOM, JTF-GNO and other COCOMs. Provide direct support to GCCs for theater issues when a Service elects not to establish a STNOSC in a GCC s AOR. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Ensure implementation of approved DoD/Service policies and procedures for NetOps. Provide near-real time global SA of Service network and system issues to JTF-GNO and Service leadership. Coordinate problem resolution actions within the Service that effect operations in two or more theaters. Coordinate, execute and/or direct support troubleshooting and restoral actions for Service enterprise, business functions (Personnel, Logistics, Finance etc.) and Title 10 responsibilities in collaboration with JTF-GNO, TNCC/GNCC and STNOSCs. Implement JTF-GNO directed policy and operational measures to ensure near real time, worldwide defense for the Service s portion of the GIG. Report status of Service worldwide terrestrial, space and wireless transmission systems and enterprise services and facilities to JTF-GNO and Service leadership. Maintain Direct Liaison Authority (DIRLAUTH) with other SGNOSCs and AGNOSCs. Establish, in coordination with USSTRATCOM, procedures for dissemination of advisories, alerts, and warning notices, including those originating outside the Service and DoD. Ensure Service-wide compliance with issued IAVAs and INFOCON changes. Coordinate with Service IC to refine Priority Information Requirements in support of GND operations. Through NetOps TTP ensure the effective operation, management, and protection of the Service portions of the GIG in support of net-centric warfare. Provide STNOSC support to GCCs if STNOCS have not been established. 16 Joint Chiefs of Staff Standing CND EXORD, 19 May

35 4.2.2 Combatant Commands Geographic Combatant Commands The GCC exercises OPCON over the GIG assets in their theater and Component NetOps forces and exercises TACON over the TNC for Theater NetOps matters. To accomplish this, all GCCs established a TNCC through which they will maintain SA and exercise OPCON and/or TACON of their apportioned, allocated, or assigned network assets. GCCs have the authority to direct efforts and actions that affect the portions of the GIG in their AORs Theater NetOps Control Center The primary mission of the TNCC is to lead, prioritize, and direct Theater GIG assets and resources to ensure they are optimized to support the GCC s assigned missions and operations, and to advise the COCOM of the ability of the GIG to support current and future operations. In performing its mission, the TNCC exercises OPCON over all Theater systems and networks operated by forces assigned to the COCOM. The TNCC also exercises TACON over the TNC for Theater NetOps issues. The specific roles of the TNCC include monitoring of the GIG assets in their theater, determining operational impact of major degradations and outages, leading and directing responses to degradations and outages that affect joint operations, and directing GIG actions in support of changing operational priorities. The TNCC also responds to JTF-GNO direction when required to correct or mitigate a Global NetOps issue. The TNCC, in advising the COCOM of the GIG s ability to support assigned missions and operations, must remain cognizant of all current, future or contemplated operations involving the GIG. This requires continual contact and coordination with the COCOM s Joint Operations Center. Serving as an operational extension to the COCOM s command center, the TNCC provides GIG SA and operational impact assessments to the Commander and the Joint Operations Center. The TNCC uses the GIG SA view provided by their TNC, component NetOps organizations, and theater Joint NetOps Control Centers (JNCCs) to maintain SA over the portion of the GIG necessary for the success of their COCOM s assigned missions. Although the NetOps SA software application will be a part of an enterprise-wide software capability, the input data requirements and output products (picture/view, reports, etc.) will be user customizable, based on built-in options, to meet the needs of each COCOM. The TNCC is responsible for coordinating the definition and development of the content and scope of the GIG SA information/view for the theater, based on DoD parameters to assure complete integration. This will be based on the Commander s guidance and requirements submitted by subordinate commands. The specifications will be submitted to the TNC, which is responsible for producing and disseminating the GIG SA view. Some level of minimum SA view shall be defined to ensure that all NetOps facilities provide a consistent set of information and to make it easier to integrate and roll-up SA views generated by different theaters or organizations. The TNCCs direct and prioritize required operational actions through their supporting TNC and assigned NetOps forces. System and network management activities, in response to NetOps decisions made by the TNCC, are accomplished through the COCOM s TACON authority over the TNC and through OPCON over forces assigned to the COCOM. By translating the 27

36 COCOM s guidance into information priorities, engaging in NetOps planning, assessing theater- network resource readiness, and coordinating network defense, the TNCC provides the wide expertise to advise senior leadership and provide recommendations on COA concerning NetOps issues having an operational impact on mission accomplishment. To carry out its mission, the TNCC will: Establish uniform 24x7 visibility into the status of the GIG SA view from/to TNC and assigned NetOps organizations. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Establish and retain visibility of system and network outages and customer service shortfalls. Receive, consolidate, and analyze all available reports from the Components, Agencies, JTFs, and deployed units. Direct reporting of NetOps events, conduct analysis of the impact of such events on the operational mission, develop alternate COA, and advise the Commander and other senior decision makers on the status of GIG degradations, outages, GND events, and areas requiring improvement. Prioritize the installation and restoration of system and network services for the TNC and subordinate organizations in the form of a Critical Customer (i.e., decision-maker) listing. Direct, coordinate, and integrate RAs to computer network attacks and significant intrusions affecting the COCOM s portion of the GIG. Direct the theater s response to JTF-GNO directives for correcting or mitigating Global NetOps issues. Coordinate with JTF-GNO to de-conflict the COCOM s Theater NetOps priorities with the Global NetOps priorities of JTF-GNO and USSTRATCOM. Deconflict issues between the TNC and STNOSC/ATNOSC Service Theater Network Operations and Security Centers Service Components supporting a GCC may establish STNOSCs based on the size and topology of their NetOps responsibilities to provide and manage systems and network services. The STNOSC will serve as a single point of contact for their theater elements for systems and network services; GEM, GND & IDM/CS capabilities; and operational reporting. The STNOSC provides GIG SA information to the TNC and the TNCC. In the absence of a STNOSC, the SGNOSC will perform the function of the STNOSC. To facilitate end-to-end management, and maintain the accuracy of the GIG SA information/view, each STNOSC will: Exercise routine, day-to-day management, control, and defense of system and network services provided as part of the GIG. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Comply with GIG SA (visibility and status) reporting requirements for their portion of the GIG as determined by the COCOM. Provide GIG SA information specifically from the TNC Points of Presence (POP) to the Component s deployed forces. 28

37 Provide the TNCC / GNCC and TNC current (near real-time) SA of systems and networks under their control and within their portion of the GIG for retrieval and use by other NetOps centers IAW this CONOPS. Assist the TNC and the TNCC / GNCC in tracking the status of NetOps events and determining the technical and operational mission impacts caused by NetOps events. Respond to a variety of threats using a range of response measures to preclude, or detect, and counter, any threat. Exercise TACON over the system and network resources of their subordinate NOSCs, Network Service Centers (NSCs), and Systems Administrators. The concept of an STNOSC does not imply that each Service must create a physical STNOSC in each theater. Each Service has implemented this concept of a STNOSC in a different way. The following paragraphs describe each Service s method of supporting Theater NetOps. 29

38 United States Army The Army, through SMDC (Space Missile Defense Command) / ARSTRAT, the Army Service Component Comm and to STRATCOM, and with support from Intelligence and Security Command (INSCOM), directed NETCOM/9 th ASC (Network Enterprise Technology Command/9th Army Signal Command) to operate, manage, and defend the network at the enterprise level infrastructure. Army NetOps applies centralized management, decentralized execution through a tiered NetOps force structure supporting seven Army Service Component Commands: ARSTRAT, USARPAC, USAREUR, USARSO, USARCENT, EUSA and ARNORTH. The Army s three tiered NetOps operational structure consists of: the Army Network Operations and Security Center (ANOSC); Theater Network Operations and Security Center (TNOSC); and the Regional Network Operations and Security Center (RNOSC). The ANOSC is integrated with the 1st Information Operations Command (1st IO CMD - LAND) Army Computer Emergency Response Team (ACERT) to create a consolidated NetOps Center called ANOSC/ACERT Tactical Operations Center (A2TOC), and each TNOSC is integrated with a Regional Computer Emergency Response Team (RCERT). This alignment of organizations has provided a critical synergism of effectiveness and efficiency to receive, distribute, and analyze information in order to integrate, synchronize, and coordinate CNO. For purposes of this CONOPS, only the top two tiers of the Army NetOps structure are presented. In this CONOPS the ANOSC is referred to as the SGNOSC and the TNOSC is referred to as the STNOSC. Serving as the single Army service NetOps authority, the ANOSC directs, operates, manages, and defends the Army s portion of the GIG network infrastructure at the enterprise level. The ANOSC provides worldwide operational and technical support to the LandWarNet across the tactical and strategic levels. It provides to decision makers a comprehensive, integrated, near real-time, situational awareness, operational reporting capability and SA; operationally integrates GEM, GND, and IDM/CS technologies and procedures. The ANOSC interfaces with JTF-GNO through an OPCON relationship, other service NOSC s through a Supporting relationship, and with all Army TNOSC s through a technical control (TECHCON) relationship. The Army TNOSC assists the ANOSC in managing the service s portion of the GIG network and acts a single point of contact for Army network services, operational status, and anomalies in the theater and to other Services operating in the theater. The TNOSC is the single point of contact that provides visibility and status information to the ANOSC, Component Command TNCC, and the JTF-GNO s TNC on NetOps issues/events for the Army s portion of the GIG network. 30

39 Figure 6: US Army NetOps Forces 31

40 United States Navy The US Navy is transforming their Naval Telecommunications Master Station (NTCMS) construct to support the STNOSC concept. NETWARCOM will create two RNOSCs that will provide STNOSC support to the GCCs. The RNOSC-East will support USEUCOM, USSOUTHCOM and USNORTHCOM. The RNOSC-West will support USPACOM and USCENTCOM. The STNOSC provides direct support to the GCC s TNCC, TNC, and Navy Forces (NAVFOR) for theater NetOps issues and events. Figure 7: US Navy NetOps Forces 32

41 United Sates Marine Corps Service Theater Network Operations and Security Center services for Marine Corps components are provided virtually/remotely by the Marine Corps Network Operations and Security Command (MCNOSC) from Quantico, Virginia. The MCNOSC, as the Marine Corps SGNOSC, is currently assigned OPCON as a component to the JTF-GNO. Therefore, it will not be assigned OPCON to the Service components of the GCCs. Rather, the MCNOSC provides direct support to the GCC s TNCC, TNC and Marine Forces (MARFOR) for theater NetOps issues and events. The MCNOSC in its entirety is potentially available to fulfill its direct support responsibilities. However, the MCNOSC Command Center is the point of entry to the MCNOSC for theater NetOps requirements and requests for support. The Command Center will allocate available internal resources and coordinate delivery of MCNOSC direct support. Figure 8: US Marine Corps NetOps Forces 33

42 United States Air Force The USAF designed their Network Operations and Security Center (NOSC) construct around their Major Commands (MAJCOMS). This construct puts an Air Force STNOSC in each deployed theater as part of the Theater Air Force. In CONUS, there are several MAJCOM NOSCs, all reporting to the USAF NOSC at Barksdale Air Force Base. However, the critical MAJCOM NOSC in CONUS is the Air Combat Command NOSC supporting US Northern Command. Figure 9: US Air Force NetOps Forces 34

43 Functional Combatant Commands FCCs have a global mission, often providing support to the GCCs, and, as such, have a global requirement for NetOps support. Some FCCs operate their own specific functional global networks (e.g., SCAMPI, Joint National Training Capability, Global Transportation Network, Ballistic Missile Defense). As such, the FCCs will receive direct support from the GNSC and general support from USSTRATCOM, JTF-GNO, and all TNCs. FCCs will exercise OPCON over their portions of the GIG through their GNCC, which will coordinate the FCC s NetOps requirements with the GNSC and the TNCCs Global NetOps Control Center The primary mission of a GNCC is to advise the FCC and ensure the portion of the GIG resources supporting that Commander s assigned missions and operations are optimized. To be effective, each GNCC must remain cognizant of all current, future, or contemplated operations in which their portions of the GIG will play a role. The GNCCs monitor the COCOM s GIG assets, determine operational impact of major degradations and outages, and coordinate responses to degradations and outages that affect joint operations. Each GNCC will coordinate with the GNC and supporting TNC any mission or operational impacts that are associated with system/network anomalies or resource limitations. Additionally, the GNCC has DIRLAUTH with the TNCCs. This authorization gives the GNCCs and TNCCs the ability to directly coordinate scheduled changes in the GIG or troubleshoot outages. The GNCC collaborates with the NetOps COI to ensure effective operation and defense of the GIG Sub-Unified COCOMs may organize a Sub-Unified Command and assign tailored forces from among the four Service components and Special Operations Forces (SOF) to the Sub-Unified Commander. The COCOM assigns the Sub-Unified Commander OPCON of designated forces. Sub-Unified Commands may establish Sub-Unified NetOps Control Centers (XNCCs) with responsibilities and relationships similar to a STNOSC. The Sub-Unified Command s NOSC will serve as a single point of contact for their subordinate elements for systems, network services, and reporting Sub-Unified NetOps Control Center XNCCs will provide GIG visibility and status information to the GCC s TNCC and TNC to facilitate end-to-end management and maintain accuracy of the NetOps SA view. XNCCs will: Exercise routine, day-to-day management and control of those system and network services provided as part of the GIG. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Comply with GIG SA (visibility and status) reporting requirements for that portion of the GIG as determined by the COCOM. 35

44 Provide the GCC s TNCC and TNC current (near real-time) SA of systems and networks under their control and within their portion of the GIG. Provide the TNCC with mission impact assessments of system and network events Joint Task Force The JTF Commander shall exercise OPCON of the joint force systems and networks through a JNCC as detailed in Chairman, Joint Chiefs of Staff Manual (CJCSM) and CJCSM CJCSM details the responsibilities of the JTF Commander and the JNCC with respect to NetOps. This CONOPS may duplicate portions of CJCSM , in the interest of completeness Joint NetOps Control Center The JNCC manages the tactical communications of the joint force, serving as the NOSC for the deployed portion of the GIG supporting a JTF. It exercises staff supervision over C4 NSCs belonging to deployed components and subordinate commands. The JNCC provides the GCC s TNCC and TNC with: Deployed network SA information. Mission impact assessments of system and network events. GIG requirements beyond the JTF s current assets or authority. Collaboratation with the NetOps COI to ensure effective operation and defense of the GIG Defense Agencies The Defense Agencies provide, operate, and maintain a large portion of the equipment, personnel, and other resources that make up the GIG. Execution of these functions requires the Agencies to be actively engaged in NetOps of the GIG. To execute these functions, most Agencies have established NOSCs which maintain SA of their portions of the GIG. In this CONOPS these organizations are called Agency Global NOSCs (AGNOSC). These AGNOSCs serve as a central point of contact for matters concerning the resources they provide to the GIG. DoD Agencies will align their AGNOSCs to provide USSTRATCOM visibility and insight of their GIG status and will follow the orders and directives issued by JTF-GNO. Agencies will maintain a global perspective of their GIG assets and provide Agency specific support to the Global NetOps mission. This Global SA is necessary for the Agency to properly provide the equipment, personnel, and other resources they contribute to the GIG DoD Agency Theater Network Operations and Security Centers DoD Agencies supporting a COCOM may establish ATNOSCs based on the size and topology of their NetOps responsibilities to provide and manage systems and network services. The ATNOSC will serve as a single point of contact for their theater elements for systems and network services, NetOps capabilities, and operational reporting. The ATNOSC will provide GIG SA information to the TNC and the TNCC. To facilitate end-to-end management and maintain the accuracy of the GIG SA information/view, each ATNOSC will: 36

45 Exercise routine, day-to-day management, control, and defense of system and network services provided as part of the GIG. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Comply with GIG SA (visibility and status) reporting requirements for their portion of the GIG as determined by the COCOM. Provide GIG SA information specifically from the TNC POPs to the Component s deployed forces. Provide the TNCC / GNCC and TNC current (near real-time) SA of systems and networks under their control and within their portion of the GIG for retrieval and use by other NetOps centers IAW this CONOPS. Assist the TNC and the TNCC / GNCC in tracking the status of NetOps events and determining the technical and operational mission impacts caused by NetOps events. Respond to a variety of threats using a range of response measures to preclude, detect, or counter any threat. Exercise TACON over the system and network resources of their assigned NOSCs, NSCs, and Systems Administrators DoD Agency Global Network Operations and Security Center The DoD Agencies that are not part of the IC operate enterprise-wide systems as part of the GIG. These systems provide critical support to the DoD, COCOMs, and Military Services. Ma intaining SA of these systems is key to operating and securing the GIG. Non-IC DoD Agencies will designate an Agency Global Network Operations and Security Center (AGNOSC) or other agency organization to execute global network operations and defense actions for their agency, under the direction of CDRUSSTRATCOM. Responsibilities of DoD AGNOSCs include: Ensure implementation of approved DoD policies and procedures for NetOps. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Provide near-real time global SA of Agency networks and systems to JTF-GNO. Coordinate, execute and/or direct support troubleshooting and restoral actions for Agency networks and systems. Implement policy and operational measures to ensure near real time, worldwide defense for the agency s portion of the GIG. Report status of Agency worldwide terrestrial, space and wireless transmission systems, enterprise services, and facilities. Maintain DIRLAUTH with other SGNOSCs and AGNOSCs. Establish, in coordination with USSTRATCOM, procedures for disseminating GND and related advisories, alerts, and warning notices. Monitor Agency compliance with issued IAVAs and INFOCON changes. 37

46 Defense Information Systems Agency DISA performs significant NetOps support functions. Under the direction of CDRUSSTRATCOM, DISA manages operational control over information services, IT environments, and computing processing centers for all DoD Components. DISA will: Ensure visibility of the GIG DISN, DISA computing services, and DISA applications to provide status and performance and infrastructure data for the NetOps SA view. Collaborate with the NetOps COI to ensure effective operation and defense of the GIG. Establish, develop, and implement the NetOps SA technical backbone under the guidance of CDRUSSTRATCOM. Coordinate with the Heads of the DoD Components to establish NetOps in their GIG architectures and IT standards. Act as the DoD single point of contact for the GIG and DoD IT standards development (including information processing and information transfer). Collect, evaluate, and share NetOps-relevant, GIG metrics and performance measurements following the guidance of CDRUSSTRATCOM. Exercise operational authority for NetOps in support of USSTRATCOM operations. Manage and monitor NetOps operational control of the IT environment and computing processing centers following the guidance of CDRUSSTRATCOM. Staff and train TNC personnel to operate TNC facilities in accordance with USSTRATCOM policy and directives. Support CDRUSSTRATCOM, identification and tracking of activities that affect security and performance to include real-time alerts and warnings for anomalies and real-time response to detected attack activities Interagency One of the key elements in future NCOW is integrating U.S. military relationships with interagency, coalition, multinational, and NGO actors over the course of an operation. USNORTHCOM has a large, new role involving multinational, NGO, interagency, and intergovernmental partnerships and relationships. This integration will require cooperation, coordination, and synchronization among the U.S. military components and their partners. As their interactions will be dictated by a combination of policy and capability, they may have both significant positive and negative impacts on the agility of the organizations and processes supporting C2 and the behavior of the mission network overall. 17 Joint C2 will need to provide a mechanism for organizations, regardless of location, level, or function, to rapidly integrate physically or virtually. To do this, joint teams that regularly train together and have a foundation of common TTPs must be created. C2 processes will need to be developed that allow for multiple players, distributed globally, to form communities of interest as necessary, and to manipulate information based on their individual and collective requirements. 17 Joint Command and Control Functional Concept, February 2004, p

47 The NetOps COI must be able to rapidly link the GIG to other organizations as required to share information. We must develop NetOps TTPs that allow commanders to connect the GIG to other organization s networks in an interoperable yet secure manner. The NetOps COI must be prepared to work with the following types of organizations: Non-DoD USG Organizations Intergovernmental Organizations Nongovernmental Organizations Multinational Military Commands (Alliances and Coalitions) State and Local Governments Commercial and Research Communities Director of National Intelligence The DNI, through the Intelligence Community-Chief Information Officer (IC-CIO), will develop joint procedures with the DoD CIO for NetOps and status information sharing of the IC 18 Networks. The IC-CIO oversees the Intelligence Community-Incident Response Center (IC- and represents the IC in the NetOps IRC). The IC-IRC is the IC s single focal point for IC network incident reporting and management COI Intelligence Community Incident Response Center JTF-GNO will collaborate with the IC-IRC, a key interagency organization. The IC-IRC is the IC s single focal point for IC network incident reporting and management. As per the SECDEF Memorandum, June 18, 2004, activities involving IC networks, specifically SCI networks, will be coordinated in accordance with joint procedures approved by the SECDEF and the DNI. Due to the close inter-dependencies that DoD and IC components have on each other s networks, it is essential that reporting procedures be in place to ensure rapid coordination and defense of DoD and IC networks National Security Agency NSA performs significant NetOps support functions. NSA provides IA products, solutions, and services, as well as the operational attack sensing and warning (AS&W) mission NSA executes in support of defending the GIG. NSA will: Serve as the National Manager responsible to the Secretary of Defense for the security of telecommunications and information systems that are defined as NSS per 44 U.S.C. As National Manager, operate and maintain the National Security Incident Response Center that serves as the coordination point for all National Security Incidents. Responsible for Communications Security (COMSEC), specifically, IA in general and CND in accordance with NSD 42, DoDD C , and Ensure availability of IA products and technology. 18 Secretary of Defense Memorandum, Assignment and Delegation of Authority to Director, Defense Information Systems Agency (DISA), 18 Jun

48 Continual monitoring of DoD and its contractor s telecommunications and developing allsource assessments of adversarial threat. Establish business processes for identifying and acquiring approved IA technology. Review the budgets, and resource allocation for IA activities of the DoD. Conduct research and development activities to generate IA techniques and solutions. Develop the IA technical framework. Plan and manage the DoD PKI. Provide layered protection for DoD cryptologic SCI systems. Certify and Support CND Services for Special Enclaves. Coordinate the design development and maintenance of Special Enclave information systems and databases. Provide network AS&W support to DoD component. Provide tailored, all-source, current and long-term analysis addressing the threat of intrusions into the GIG. Collaborate with the NetOps COI in the effective operation and defense of the GIG. Provide network AS&W support to JTF-GNO and USSTRATCOM. Develop architectural standards, policy, and information systems security engineering (ISSE) guidance, IA products, Defensive Information Operations (DIO) services, and key management products and services. Provide GIG SA of the NSA/CSS secure communications network and external GIG connectivity points to IC-IRC. Provide analytical and operational support for any CND RA being evaluated. Develop the Information Assurance components of the GIG architecture at the direction of ASD-NII. Provide Signals Intelligence relevant to Indications and Warning on Foreign Threats to the GIG and on capabilities and intentions of potential adversaries The Defense Intelligence Agency The Defense Intelligence Agency (DIA) performs significant NetOps functions. DIA will: Be responsible for developing, implementing, and managing the configuration of information, data, and communications standards for intelligence systems, in coordination with the Joint Staff, Services, other agencies, and OSD. Establish defense-wide intelligence priorities for attaining interoperability between tactical, theater, and national intelligence related systems and between intelligence related systems and tactical, theater, and national elements of the GIG. Exercise operational management of JWICS via the JWICS Network Operations Center. Provide required reports to the IC IRC as defined in paragraph Provide GIG situational awareness of the JWICS and external GIG connectivity points to JTF-GNO. 40

49 Assign IP addresses for DoD SCI users. DIA shall coordinate IP address assignments with DISA to preclude establishing duplicate IP addresses National Communications System The National Communications System (NCS) coordinates National Security/Emergency Preparedness communications for the Federal Government as well as the Communication Emergency Support Function under the National Response Plan. The National Coordinating Center (NCC) within th e NCS serves as the Information Sharing and Analysis Center (ISAC) for the telecommunications industry. As such, the NCS/NCC functions as an important link for the JTF-GNO a nd USNORTHCOM with the telecommunications industry. This link can be exploited to assist in commercial circuit restoration. Additionally, the NCS provides the JTF- GNO access to all Federal Government Priority communications systems including the Government Emergency Telecommunications Service (GETS), the Wireless Priority System (WPS) and the Telecommunications Service Priority (TSP) system. The NCS, as the lead for the National CIP Telecommunications Sector, can also assist on critical infrastructure analysis of the commercial telecommunications assets upon which the DoD depends. 4.3 NetOps C2 Structure Global NetOps C2 Figure 10 graphically portrays the C2 relationships for Global NetOps. CDRUSSTRATCOM is the Supported Commander for Global NetOps. The other COCOMs are Supporting Commanders to USSTRATCOM for Global NetOps. This relationship gives CDRUSSTRATCOM the authority to direct the CC/S/As to take action to ensure the availability and integrity of the GIG. While this Supported relationship gives CDRUSSTRATCOM global authority, it does not take away the COCOM s authority over their assigned NetOps forces. For Global NetOps issues, USSTRATCOM will issue orders and alerts through JTF-GNO to the CC/S/A. COCOMs will direct compliance with these directives using their inherent authority over their AOR. This construct will allow USSTRATCOM to exercise its global authority while strengthening the responsibilities of the other COCOMs. The TNCs fall under the OPCON of JTF-GNO for Global NetOps issues. This will allow the JTF-GNO to immediately direct action by the TNCs when necessary to protect the GIG. JTF-GNO will ensure that the Combatant Commanders are informed about all Global NetOps issues. However, on occasions when immediate responses are necessary, the Combatant Commanders will be notified concurrently as the response actions are being made. This OPCON relationship gives JTF-GNO the authority to issue immediate directives when necessary. However, the TNCs will provide direct support to the TNCCs and general support to the GNCCs in executing JTF-GNO Global NetOps directives. JTF-GNO will exercise OPCON of Service NetOps units, to include NOSCs and CERTs, as assigned by CDRUSSTRATCOM. Defense agencies will follow the NetOps orders and directives issued by USSTRATCOM and JTF-GNO. Service and Agency Systems Management Centers (SMC) and Central Design Authorities (CDA) are in general support of JTF-GNO ensuring that the systems they operate or provide as parts of the GIG are compliant with JTF- GNO guidance. 41

50 Figure 10: Global NetOps C2 42

51 4.3.2 Theater NetOps C2 Figure 11 graphically portrays the C2 relationships for Theater NetOps. GCCs are the Supported Commander for Theater NetOps. GCCs have the authority to direct efforts and actions that affect the portions of the GIG in their AORs. The GCC exercises OPCON of all assigned NetOps forces and GIG assets in their theater. The USSTRATCOM TNC is under the TACON of the GCC for Theater NetOps issues. The GCC TNCC is responsible for the operation of the GIG assets in their theater and issues directives to the TNC and Component NetOps organizations to ensure that the GIG assets in their theater supports the theater mission. USSTRATCOM and JTF-GNO are in support of the GCC and ensure that the GIG is capable of supporting the GCC s requirements. When there are conflicts or resource contention between COCOMs requirements, JTF-GNO will de-conflict resource requirements. Competing resource requirements that cannot be resolved will be forwarded through CDRUSSTRATCOM to the CJCS for adjudication. The Services and Agencies may establish theater-level NOSCs or provide 24x7 theater level responsiveness to GCC direction, requests for information, and SA. Either the global or theater NOSC will provide theater GIG visibility to the TNC and other DoD Component NOSCs as required. This Service/Agency NOSC will also serve as a central point of contact for operational matters and emergency provisioning for a supported COCOM. This will enable improved GIG SA at all levels of the command structure and facilitate end-to-end GIG management. Figure 11: Theater NetOps C2 43

52 5 Collaborative NetOps C2 Process The source of flexibility is the synergy of the core competencies of the individual Services, integrated into the joint team. ~ Joint Vision Overview C2 is the ability to recognize what needs to be done in a situation and to ensure that effective actions are taken to achieve the desired effect with minimum adverse impact. At its core, C2 is about decision-making and the individuals who make decisions. NetOps C2 must be a joint decision-making process that is dynamic, decentralized, distributed, and highly adaptive. Enabled by a robust, secure, integrated network, and through the employment of CIEs, the NetOps COI will possess a seamless C2 capability. Supported by skilled personnel trained in joint NetOps and standardized NetOps TTPs, the NetOps COI will be able to create desired GIG effects at the right time and place to accomplish the mission. As discussed in the Joint Command and Control Functional Concept, the Joint C2 process is envisioned as the way that net-centric forces will execute C2. The Joint C2 approach applies to all echelons of command, across all military functions, and encompasses the full range of military operations. It consists of a combination of both the basic C2 and the collaborative C2 processes. The basic C2 process is the systematic and continuous process that commanders perform in order to recognize what needs to be done and to ensure appropriate actions are taken. Collaboration is defined as joint problem solving for the purpose of achieving shared understanding, making a decision, or creating a product. In the context of Joint C2, collaboration is enabled by the CIE and is used to coordinate, accelerate, and ground in an expanded information resource base, the development of decisions and actions across multiple basic C2 process loops. As a net-centric operation, the Joint C2 and Net-Centric Environment Joint Functional Concepts as well as joint doctrine 19 guide the design of the NetOps C2 process that is described in this CONOPS. The NetOps C2 process will allow the NetOps COI, an extremely diverse and dispersed community, to interact with directness, informality, and flexibility typical of small cohesive teams. It will allow the NetOps COI to rapidly adjust its C2 system to the situation at hand rather than rely on one size fits all procedures. And it will allow the NetOps COI to exploit the benefits of decentralization initiative, adaptability, and tempo without sacrificing coordination and unity of command. As the COCOM responsible for Global NetOps, CDRUSSTRATCOM influences NetOps outcomes by: Defining the commander s intent Designating the priority effort(s) 19 JP 0-2 Unified Action Armed Forces, 10 Jul 2001, pp. III-14 thru III

53 Prioritizing and allocating resources Assessing risks Deciding when and how to make adjustments Committing reserves Staying attuned to the needs of the NetOps COI Within CDRUSSTRATCOM s intent, commanders at all levels make similar NetOps decisions to ensure that the GIG supports their mission requirements. 5.2 NetOps C2 Process NetOps C2 processes will be performed collaboratively to improve the speed and quality of the individual decisions and allow for the rapid and continuous synchronization of multiple decisions to achieve un ity of effort for the GIG. Commanders will rapidly tailor their C2 capabilities to any situation and will be able to exploit the benefits of decentralization initiative, adaptability, and tempo and achieve flexible synchronization of NetOps without sacrificing unity of command. This will be achieved through a CIE that enables cohesive teams, regardless of location, to develop a shared understanding of the commander s intent and the status of the GIG, thereby enabling superior NetOps decision-making The Basic NetOps C2 Process and Its Component Functions The basic NetOps C2 process is the systematic execution of the functions that an individual commander is required to perform in order to recognize what needs to be done and to ensure that the GIG operates effectively. Each commander, regardless of echelon or function, performs the same basic NetOps C2 process 20 (see Figure 13). The basic C2 functions are listed below. Monitor and collect data on the GIG. Develop an understanding of the status of the GIG. Develop a course(s) of action and select one. Develop a plan to execute the selected course of action. Execute the plan, to include providing direction and leadership to subordinates. Monitor execution of the plan and adapt as necessary. 20 Boyd, John, COL (ret). Patterns of Conflict. Briefing on competitive organizations; December The Observe- and cyclical nature of C2 and illustrates the Orient-Decide-Act model of C2 (OODA Loop) captures the continuous basi c process. Though Boyd s model is intended to deal with decision making by individuals and groups, it is only being referenced here to the decision making by individuals. 45

54 Develop and Select a Course of Action Develop a Plan Develop an Understanding Of the Situation Execute the Plan Monitor and Collect Data Monitor Execution and Adapt as Necessary Figure 12: The Basic C2 Functions and Process Monitor and collect data on the situation The ultimate objective of this step in the NetOps C2 process is to discover unresolved NetOps Events and the detrimental effect they have on the network. These events could be anything from a very short network outage that corrects itself to a large catastrophic outage. Events range in severity from small probes of our networks to full scale network attacks. Detecting a NetOps Event is often done using automated monitoring systems. But network users or administrators noticing unusual behavior of the network also detect NetOps Events. Knowing that networks are experiencing unresolved NetOps Events, requires alert system administrators and network managers with properly configured network monitoring and intrusion detection software. This is in many respects the most important aspect of Network Operations because you don t know what you don t know. The majority of the effort of organizations that monitor the networks is spent looking for unresolved NetOps Events. This phase of the NetOps C2 Process requires great diligence and attention to detail. If network-monitoring personnel do not pay close attention to their monitoring systems and user complaints, NetOps Events can go unnoticed and can significantly degrade the performance of the GIG Develop an understanding of the situation Once a NetOps Event is identified, the next step is to determine the nature, extent, severity, and impact for the purpose of characterizing, informing, and responding. In general, the objective of this step is to answer the following questions. What is the nature of the NetOps Event? What is the impact to the GIG? Who or what is causing the problem and why? 46

55 What is the impact on current and planned operations? Of these four questions, determining the Operational Impact is by far the most important. For example, a large, technically complex, network outage that has no Operational Impact is much less significant than a small, simple outage that has a significant Operational Impact. Determining the Operational Impact of a NetOps Event is the critical result of this stage of the C2 Process, requiring knowledge of the networks and systems associated and the users affected. Additionally, determining the Operational Impact must not preclude timely notification of a NetOps Event. When a NetOps Event has been identified and an initial assessment is complete, the identifying organization is responsible for expeditiously informing higher, lower and lateral organizations. Some NetOps Events are so critical that they require real-time information required to alert, mitigate or respond to the potential damage caused. Other NetOps Events are less critical and can be reported using less timely means. It is imperative that network operators are aware of the reporting requirements and methods for each type of NetOps Event and rapidly inform the higher, lower and lateral organizations. Also of key importance here, is informing the affected organization(s) as soon as possible Develop a course(s) of action and select one & Develop a plan to execute the selected course of action Once the commander gains an understanding of the NetOps Event, the commander decides on a course of action. Deciding on a course of action in structured or analytic decision-making consists of developing several alternatives, assessing the alternatives and then selecting the best one. 21 In the case of well-understood or rapidly unfolding situations, the decision is made quickly, with little consideration of developing or assessing alternative courses, in a more intuitive decision-making style. These two steps of the NetOps C2 Process are often conducted simultaneously and consist of develop ing response options and COA, as well as coordination of those decisions to halt and/or mitigate the effects of the NetOps Event on the GIG. The objective of this phase is to determine those actions that will defeat intrusions and/or mitigate the effects. This phase includes: Identification of response options. Development of COA based on one or more response options. Coordination with the GNC, TNC, TNCC/GNCC, NOSC and other organizations Execute the plan, to include providing direction and leadership to subordinates Once the decision is made, the commander puts the decision into action or instructs others to act in support of the chosen course of action and exercises leadership to motivate others in executing the decision. This step includes: 21 A course of action may seek to manipulate the adversary s level of uncertainty and understanding of the operating environment. 47

56 Issuing appropriate orders and direction to the NetOps COI. Execution of the selected COA Monitor execution of the plan and adapt as necessary Monitoring the execution of the plan allows the commander to observe the results of the decisions and to adapt as the process starts again. As this Operational Process is cyclical, it may often take several iterations of the cycle to fully resolve the NetOps Event. For significant NetOps Events, this continuous cycle could span days or weeks until the event is resolved. This process is very generic, but it outlines the general technique for responding to any type of N etops Event. However, each NetOps Event will be different and will require attentive personnel in each NetOps organization that can quickly recognize the unique characteristics of each event. 5.3 Collaboration Collaboration is joint problem solving for the purpose of achieving shared understanding, making a decision or creating a product. It allows experts to integrate their perspectives to better interpret situations and problems, identify candidate actions, formulate evaluation criteria, and decide what to do. In the context of NetOps C2, collaboration is used to coordinate the development of decisions and actions across multiple basic NetOps C2 process loops. Commanders need to be able to share their observations, understanding, decisions and actions regarding a situation with other commanders. Collaborating allows commanders to get better GIG SA, a deeper understanding of the GIG environment, to better comprehend how their decisions will effect the GIG environment and to coordinate their limited resources with others to achieve maximum effect in the pursuit of mission success. Collaboration is enabled through a CIE Collaborative C2 Functions The collaborative C2 functions tie together the basic C2 process loops across echelons and functions through collaboration. The collaborative C2 functions give the C2 system its agility 22 and give the commander flexibility in choosing a command methodology. They support the basic C2 functions by providing the commander with access to the observations, understandings, decisions, and actions of other friendly force commanders. They help a large dispersed group that is governed by explicit rules and procedures to behave more like a small close group whose relationships are implicit and informal. The collaborative C2 functions allow teams, such as the NetOps COI, to be formed quickly from across the echelons and functions to work on specific issu es. They support the decentralization of C2, which increases the initiative, adaptability and 22 Three command methodologies are postulated in Thomas J. Czerwinski, Command and Control at the Crossroads, Parameters, Autumn, 1996, pp The three principle methodologies are command by direction, command by plan and command by influence. They prescribe an increasing level of decentralization in the command structure with command by direction having the most centralized structure and command by influence having the most decentralized. 48

57 tempo of operations without losing synchronization with other friendly forces. The collaborative C2 functions enable the commander to maintain unity of effort and unity of command. They include: Networking: Networking is the connecting together of all the decision-makers across echelons and functions. Networking is enabled by a communications and data infrastructure em ploying a robust set of standards that facilitate the exchange of information. It also facilitates the interaction across echelons and functions. Interacting: Interacting is the social part of networking and is the heart of collaboration. Interacting is facilitated by the development of cohesive teams using collaborative information tools to exchange information across a network that spans echelons and functions. Interacting supports the development of trust and the art of command. Sharing information: Sharing information makes information available and accessible to commanders. It assures that all commanders are operating from the same baseline of information. 23 Sharing information improves the quality of awareness and understanding. Sharing awareness: Sharing awareness is sharing an initial understanding of the operational environment such as the current status of the GIG and the current operational impact assessment. Sharing awareness improves commanders understanding because each of them is working from the same basic information about the GIG. Sharing understanding (including sharing commander s intent): Sharing understanding is a deeper understanding of the GIG framed by the experience and intuition of commanders across echelons and functions. Sharing understanding allows subordinate decision-makers to understand how higher echelons are viewing the overall situation and that allows the subordinates to make better decisions and to better coordinate their actions with others. Sharing understanding and the commander s intent allows subordinate commanders to undertake initiative that is in line with the higher echelons view of the situation. Sharing understanding allows NetOps C2 to be more decentralized and more responsive to small but important changes in the operational environment. It improves the overall speed and quality of decisions. Deciding: Decisions made in a collaborative environment are those made by multiple decision-makers working together. This is not decision by committee; it does not require a consensus. It gives each commander an understanding of the decisions being made by others in pursuit of the mission goals. By making decisions based on the explicit decisions of others, commanders can make more effective use of their forces because there is less likelihood of their working at cross purposes. Synchronizing: Synchronizing arranges NetOps actions in time, space, and purpose to produce maximum GIG effectiveness. It brings the actions of the NetOps COI as a whole into line with the commander s intent in order to accomplish the NetOps objectives. Synchronizing allows the commander to make maximum use of the limited resources available by coordinating their timing and actions. It helps commanders build and maintain unity of effort across operations that have a diverse set of actors with a range of capabilities. 23 Overall access will be guided by established information security policies. 49

58 Sharing Understanding Deciding Interacting Sharing Awareness Synchronizing Sharing Information Networking Info Sources Operating Environment Forces Collaborative C2 Process Chain Figure 13: Collaborative C2 Process Each of the collaborative NetOps C2 functions builds on the volume and quality of interaction among commanders moving through their basic C2 process loop. Commanders who interact frequently and meaningfully throughout the basic C2 process loops are able to make consistently better decisions than those who interact less frequently. The collaborative C2 process chain in Figure 14 shows the value added relationship among the collaborative C2 functions. 5.4 Linking the Basic and Collaborative NetOps C2 Processes The collaborative NetOps C2 process improves the execution of the basic NetOps C2 process, both in terms of quality and speed, by providing the individual commander with access to the information and understandings of other commanders involved with the same mission. By sharing information, SA and understanding, individual commanders are able to improve their ability to monitor and collect data on the GIG because they have access to the collection capabilities of other units. The individual commander is able to develop a more thorough understanding of the situation by being able to tap into the experience and perspectives of other individual commanders. COA, the selection of a course of action and the development of plans to execute the course of action can be developed and executed with the collective knowledge of the decisions and plans of others. This allows commanders to choose among command by direction, plan or influence. All commanders, with an understanding of the assumptions and information available, can monitor the execution of the plan when the course of action was developed and selected. This allows them to better adapt their future decisions to the dynamics of the NetOps environment. Figure 14 depicts the relationship between the basic and collaborative C2 processes. Networking, sharing information and interacting are in the center of the diagram because they are the respective technical, organizational and cognitive (social) functions that provide the interconnection between sharing awareness, sharing understanding, deciding, and synchronizing. 50

59 Figure 14: Linking the Basic and Collaborative C2 Processes 5.5 NetOps Shared Situational Awareness Overview Because of the increasing diversity and scope of organizations and forces involved in NetOps, the interactions between them become more complicated, requiring new and more capable collaborative efforts. It is within this area that individuals develop SA and share this awareness with other entities to produce a shared awareness. This leads to improved understanding at the individual level and to improved shared understanding. This process enables the creation of faster, higher quality decisions both individually and collaboratively, as the situation requires NetOps Situational Awareness Capability An essential enabling capability of NetOps is achieving shared SA of GIG system, network, information availability, and identification of resources use. The primary purpose is to enhance knowledge of the GIG to improve the quality and timeliness of collaborative decision-making regarding the employment, protection and defense of the GIG. To be useful, much of this GIG SA must be available and shared in near real-time by the relevant decision-makers. This will be accomplished in phases through initiatives like establishing reporting criteria, consolidation of reporting mechanisms, providing operational impact assessments, and integrating manual/semiautomated mechanisms with real-time network and system reporting solutions. This shared GIG SA will be derived from common reporting procedures and requirements using enterprise-wide management tools. These tools will collect (or receive), analyze and fuse GEM, GND and IDM/CS data in near real-time to produce user-defined views of the mission critical 24 Net-Centric Environment Joint Functional Concept, Version 0.9, 8 November 2004, p